The auditor must include all COI recommendations within the COI audit scope regardless of their implementation status. The auditor must validate all implementation statuses of the SingHealth COI recommendations and; ascertain the adequacy and effectiveness of the implemented controls, including the interim and compensating controls put in place to address the risks mentioned in the COI report.
Auditors are to refer to the audit guidance document titled “Guidelines For Auditing Critical Information Infrastructure” on CSA’s website (
https://www.csa.gov.sg/legislation/supplementary-references) and audit worksheet titled
“Implementation of COI Recommendations - Audit Template” for more details on the COI audit requirements.